Tuesday, January 18, 2011

China CERT: We Missed Report On SCADA Hole

China's Computer Emergency Response Team (CERT) admitted that it missed a September e-mail message from a researcher at NSS Labs that pointed out a critical vulnerability in a commonly used SCADA (Supervisory Control And Data Acquisition) software package. The lapse resulted in a gap of almost four months before the hole was patched.

Threatpost first wrote about the heap overflow in software produced by Wellintech on Monday, after researcher Dillon Beresford wrote that his efforts to inform the company about the hole - one of many he has uncovered in Chinese SCADA packages - had hit a wall. In an unsigned e-mail to Threatpost.com, the Chinese CERT said it had missed Beresford's September e-mail identifying the remotely exploitable hole, and only became aware of the vulnerability in Kingview Version 6.5.3 in late November, after a senior member of the vulnerability analysis team at U.S. CERT contacted the organization.

"After tracing back all email history based on the content of the report, we found that the email from Dillon Beresford on Sep. 28 had been missed by the duty staff," the e-mail reads. Apparently, the Chinese CERT (CNCERT) is struggling to stay on top of the volume of e-mail reports it receives. "Our public incident report email box receives thousands of emails every day. It's a big pity, as well as a mistake, that our duty staff did not notice such an important email," CNCERT acknowledged.

The acknowledgement suggests that China's main clearinghouse for information on software security issues may be experiencing growing pains. According to a timeline provided by CNCERT, after learning of the hole from U.S. CERT member Art Manion in late November, CNCERT verified it and notified the vendor, Wellintech. The company verified its existence as well, and provided a report on it to the China National Vulnerability Database (CNVD), according to protocol. CNCERT and the CNVD then worked with the company towards a patch. That patch was completed and published on December 15, according to the timeline, but no notice of its release was sent back to CNVD or CNCERT, and CNCERT appears to have been unaware that it had been issued.